Saturday, April 23, 2011

What It's Like to Get Hit With a DDoS Attack

Google. Twitter. Government websites. Fortune 500 companies. All have been victims of crippling distributed denial-of-service (DDoS) attacks. The attacks have grown in reach and intensity thanks to botnets and a bounty of application flaws. And Akamai Technologies has seen it all firsthand.

Many people use Akamai services without even realizing it. The company runs a global platform with thousands of servers that customers rely on to do business online. The company currently handles tens of billions of daily Web interactions for such companies as Audi, Fujitsu and NBC, and organizations like the Department of Defense and Nasdaq. There's rarely a moment--if there are any--when an Akamai customer is not under the DDoS gun.

So what's it like to be in charge of this much computing power when the attacker decides to strike? Akamai Security Evangelist Michael Smith recently took an audience at the SecTor security conference through a blow-by-blow account of some recent high-profile cases.

Taking center stage is the massive cyberattack on government websites and others around the world during the Fourth of July long weekend in 2009. In that onslaught, a botnet of some 180,000 hijacked computers hammered U.S. government websites and caused headaches for businesses here and in South Korea.

The attack started that Saturday, knocking out websites for the Federal Trade Commission and the Department of Transportation. US Bancorp, the nation's sixth-largest commercial bank, also took a direct hit. Attackers have also targeted the likes of Amazon, Google and Yahoo. Attacks against Google didn't last long, but when one considers that Google content accounts for about 5 percent of all Internet traffic, the prospect of better-sustained attacks against it is sobering.

When a DDoS is underway, Smith said, customers panic some, but it's not the freak-out you might expect.

"There is a bit of panic if the traffic starts hitting your infrastructure because things start failing over. So you're doing the usual 'restore service' drill, but it's going in multiple directions, and then it seems like all of your infrastructure is in a cascade failure," he said. "Maybe a better way to describe it is that you're scrambling to fix stuff and you don't really have time to panic."

Even in an Akamai environment, if the attackers target dynamic content--which is set to not cache and therefore passes through Akamai to your origin--you'll see a traffic spike on your own servers, Smith said. "Obviously we have ways to respond after that by caching the dynamic traffic for a small amount of seconds--most dynamic content is actually cacheable for a small period of time because the browser isn't loading it every 3 milliseconds like you might think," he says.
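The mitigation Smith describes is often called micro-caching: treating a "dynamic" response as fresh for a few seconds so that a flood of identical requests collapses into one origin fetch per TTL window. The simulation below is an added example, not code from the article or from Akamai; the request rates, the request path and the origin function are constructed, and `MicroCache`/`simulate_flood` are names chosen for this illustration. It compares how many requests reach the origin with no caching versus a short TTL.

```python
"""Micro-caching simulation: how a short TTL on dynamic content shields an origin.

Added example (not Akamai code). Models the technique in the article: cache a
normally uncacheable dynamic response for a few seconds so that N identical
requests per second cost the origin roughly one render per TTL window.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class MicroCache:
    ttl: float                                          # seconds a response is reused
    store: Dict[str, Tuple[float, str]] = field(default_factory=dict)  # key -> (expires_at, body)
    origin_hits: Counter = field(default_factory=Counter)               # how often origin was called

    def fetch(self, key: str, now: float, origin: Callable[[str, float], str]) -> str:
        """Return a fresh cached body if one exists, otherwise render at the origin."""
        entry = self.store.get(key)
        if entry is not None and now < entry[0]:
            return entry[1]                             # served from cache, origin untouched
        body = origin(key, now)                         # origin does the expensive render
        self.origin_hits[key] += 1
        if self.ttl > 0:                                # ttl <= 0 models "do not cache"
            self.store[key] = (now + self.ttl, body)
        return body


def simulate_flood(ttl: float, rate: float, duration: float,
                   path: str = "/search?q=constructed") -> int:
    """Replay `rate` identical requests per second for `duration` seconds
    through a MicroCache with the given TTL; return origin request count."""
    cache = MicroCache(ttl)

    def origin(key: str, now: float) -> str:
        # Constructed stand-in for an application server rendering the page.
        return f"rendered {key} at t={now:.3f}"

    total = int(rate * duration)
    for i in range(total):
        cache.fetch(path, i / rate, origin)             # requests spread evenly in time
    return cache.origin_hits[path]


def reduction_factor(ttl: float, rate: float, duration: float) -> float:
    """How many times fewer origin requests the cache yields than no cache."""
    uncached = simulate_flood(0, rate, duration)
    cached = simulate_flood(ttl, rate, duration)
    return uncached / cached


if __name__ == "__main__":
    # Constructed scenario: 1,000 identical requests/s for one minute.
    print("no cache  ->", simulate_flood(0, 1000, 60), "origin requests")
    print("5 s TTL   ->", simulate_flood(5, 1000, 60), "origin requests")
    print("reduction ->", f"{reduction_factor(5, 1000, 60):.0f}x")
```

The point the numbers make is that the protection comes from the TTL, not from the absolute cache size: with one minute of flood and a five-second TTL the origin renders twelve times regardless of whether the attackers send a thousand or a hundred thousand requests per second. The trade-off is that every client sees content up to `ttl` seconds stale, which is why the technique is reserved for responses that are really "dynamic" only on a timescale of seconds (search results, feeds, stock tickers) rather than per-user or transactional pages.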

And some people don't panic because they may have been warned of the attack. If you're the target of an activist or protester attack, you might hear about it beforehand as they make plans via online forums.

"There has to be some panic, but then you calm down and realize it's manageable because you have time to react," Smith says. "But during the first 30 minutes of the attack, you're still sitting with your fingers crossed watching to see if anything gets through your defenses."